Apple Addresses Google Project Zero Report On iOS Security, Calls It Misleading
When the Google Project Zero team announced that it had found a number of security flaws in iOS that could have allowed attackers to compromise devices for years, everyone took notice. But since then, as people have dug into the situation, it has become clear that Project Zero’s announcement blog post wasn’t as thorough as it should have been. The websites used as the attack vector were not mentioned, and it turns out neither was the fact that Android and Windows were also affected. Now, Apple has weighed in. And it isn’t happy.
In a Newsroom post today, Apple accused Google of “creating the false impression of mass exploitation,” even though that wasn’t the case at all. In fact, the attack targeted a specific community rather than the wider iPhone user base.
First, the sophisticated attack was narrowly focused, not a broad-based exploit of iPhones “en masse” as described. The attack affected fewer than a dozen websites that focus on content related to the Uighur community. Regardless of the scale of the attack, we take the safety and security of all users extremely seriously.
Google’s post, issued six months after iOS patches were released, creates the false impression of “mass exploitation” to “monitor the private activities of entire populations in real time,” stoking fear among all iPhone users that their devices had been compromised. This was never the case.
Apple plugged the security hole in iOS 12.1.4 back in February 2019. Google claimed that it notified Apple of the problem, although Apple says that it was already working on a fix. Apple also took umbrage with Google’s claim that the website attacks had been around for two years. Instead, Apple claims, the attacks were only operational for “a brief period.”
Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not “two years” as Google implies. We fixed the vulnerabilities in question in February — working extremely quickly to resolve the issue just 10 days after we learned about it. When Google approached us, we were already in the process of fixing the exploited bugs.
Questions have already been asked about Google’s motives in announcing a security flaw months after it was fixed. The fact that Android, Google’s own mobile operating system, was also affected but went unmentioned just adds fuel to the fire.
Apple, for its part, also took the opportunity to remind readers that its combination of hardware and software enables it to offer stronger security, unlike, say, Google.